Re: question about dnssec-protocol-04
At Mon, 22 Dec 2003 14:45:36 -0500, David Blacka wrote:
>
> draft-ietf-dnsext-dnssec-protocol-04, section 2.3 has the following
> paragraph:
>
> An NSEC record (and its associated RRSIG RRset) MUST NOT be the only
> RRsets at any particular owner name. That is, the signing process
> MUST NOT create (or RRSIG) RRs for owner names nodes which were not
> the owner name of any RRset before the zone was signed.
>
> [There is an editing nit here, too: s/MUST NOT create (or/MUST NOT create
> NSEC (or/, I think.]
>
> I feel sure that I have just forgotten the discussion about this, but why
> does this restriction exist? What harm would NSEC records of this sort
> cause?
>
> It is true that I cannot think of any useful reason to do this, but
> forbidding such NSEC records should have some real problem associated with
> it.
Empty non-terminals.
archive: <http://ops.ietf.org/lists/namedroppers/>
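
The quoted section 2.3 rule and the one-line answer above, worked through as an added example (not part of the original thread or of the draft): a constructed zone in which `a.b.c.example.test.` makes `b.c.example.test.` and `c.example.test.` empty non-terminals, an NSEC chain built only over names that own RRsets, and a check that flags any owner whose only RRsets are NSEC and RRSIG. The zone data and function names are assumptions made for illustration, and labels are assumed to contain no escaped characters.

```python
# Added illustration; zone contents and helper names are constructed.
APEX = "example.test."
ZONE = {  # owner name -> RR types present before signing
    "example.test.": ["SOA", "NS", "DNSKEY"],
    "a.b.c.example.test.": ["A"],
    "www.example.test.": ["A", "AAAA"],
}

def canonical_key(name):
    """Canonical name order: compare labels right to left, lowercased."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def empty_non_terminals(owners, apex):
    """Names below the apex that have descendants but own no RRset."""
    owned = {n.lower() for n in owners}
    apex_depth = len(apex.rstrip(".").split("."))
    ents = set()
    for name in owned:
        labels = name.rstrip(".").split(".")
        # Visit each ancestor strictly between this name and the apex.
        for i in range(1, len(labels) - apex_depth):
            ancestor = ".".join(labels[i:]) + "."
            if ancestor not in owned:
                ents.add(ancestor)
    return ents

def nsec_chain(zone):
    """(owner, next owner, type list) per NSEC; only existing owners get one."""
    owners = sorted(zone, key=canonical_key)
    chain = []
    for i, owner in enumerate(owners):
        nxt = owners[(i + 1) % len(owners)]  # last NSEC wraps to the apex
        types = sorted(set(zone[owner]) | {"NSEC", "RRSIG"})
        chain.append((owner, nxt, types))
    return chain

def nsec_only_owners(signed):
    """Owners whose only RRsets are NSEC and RRSIG, which the rule forbids."""
    return sorted(n for n, t in signed.items() if set(t) <= {"NSEC", "RRSIG"})

if __name__ == "__main__":
    print("empty non-terminals:", sorted(empty_non_terminals(ZONE, APEX)))
    for owner, nxt, types in nsec_chain(ZONE):
        print(f"{owner} NSEC {nxt} {' '.join(types)}")
    signed = {owner: types for owner, _, types in nsec_chain(ZONE)}
    signed["c.example.test."] = ["NSEC", "RRSIG"]  # what a faulty signer might emit
    print("violations:", nsec_only_owners(signed))
```

The NSEC at `example.test.` points directly at `a.b.c.example.test.`, so both empty non-terminals fall inside that one span and get no records of their own.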